Security Notice: YSFHQ and Cloudbleed

Announcements which were previously posted on our Drupal and WordPress blogs.

Security Notice: YSFHQ and Cloudbleed

Post by Eric »

Last Thursday night our staff team learned of a security vulnerability in Cloudflare, a service we and millions of other websites (including FitBit, Medium, Yelp, OKCupid, and Uber) use to help ensure your connection to their websites is fast, reliable, and secure. Cloudflare was accidentally leaking potentially sensitive information for an extremely small amount of traffic (0.00003%) between Feb. 13th and 18th due to a software bug. We immediately started investigating the incident to ensure your data was safe and to keep it safe in the future.

On Saturday, Cloudflare let us know that ysfhq.com is not one of the websites that they have discovered leaked data for. We have since confirmed that your data on YSFlight Headquarters remains completely unaffected by this vulnerability after conducting a thorough audit.

YSFlight Headquarters has additional security measures in place to prevent someone gaining access to your forum account, such as conducting certain validation of authentication traffic and limiting "Remember Me" login times to a few days at most. These measures ensure that anyone that did get access to sensitive data would have a difficult time doing anything with it. Check out the phpBB blog to know what more the developers are doing to improve the security and stability of the software behind YSFHQ.

Other websites you visit likely also utilize Cloudflare, so in light of this news we wanted to share some useful tips on keeping your accounts secure:
  • Don’t reuse passwords across accounts
    • It may seem easy to remember one password, but if a hacker gets hold of that master key, they can access all your accounts. Check out this video to learn more.
    • We recommend a password manager such as LastPass, 1Password, or Encryptr which makes keeping track of all your accounts super easy.
  • Use strong, randomly-generated passwords
    • Strong, complex passwords are much harder to guess, and thus make your account less likely to be compromised.
    • Password managers make it really easy to generate strong passwords. You can also use trusted websites such as strongpasswordgenerator.com.
  • Change your passwords regularly (every 3 months is a good amount)
    • This helps ensure that any passwords that do get compromised have a limited lifespan.
  • If two-factor authentication (or multi-factor authentication) is available, use it!
    • Accounts using two-factor authentication require both the username/password combo as well as a second code, often generated from your phone, in order to log in. A hacker would need both your username/password as well as your phone to log in.
    • We plan to implement this on YSFHQ when a stable 2FA forum extension is released. When it’s ready, we’ll let you know!
Motivated to change your password on YSFHQ? Click here to do so.

Want to learn more about the bug known as Cloudbleed? Here’s a good non-technical explanation of the situation, and here’s the original post from Cloudflare about it.

Happy flying,

- Eric and the YSFHQ staff
Re: Security Notice: YSFHQ and Cloudbleed

Post by KM6BZH »

Just a note, I saw that Discord is affected by this leak.
Re: Security Notice: YSFHQ and Cloudbleed

Post by Eric »

KM6BZH wrote: Wed Mar 01, 2017 2:49 am Just a note, I saw that Discord is affected by this leak.
Good call, here's their blog post on it: https://blog.discordapp.com/safety-jim- ... a4ecc48298
Re: Security Notice: YSFHQ and Cloudbleed

Post by Dragon_Mech »

The two-factor authentication system is a good idea, Eric. But how will that affect those of us without a mobile smart phone or access to the high-speed internet that is required by security programs?
Re: Security Notice: YSFHQ and Cloudbleed

Post by Eric »

Dragon_Mech wrote: Wed Mar 01, 2017 6:51 am The two-factor authentication system is a good idea, Eric. But how will that affect those of us without a mobile smart phone or access to the high-speed internet that is required by security programs?
I don't expect that we will make 2FA required, just an option for people to enable on their accounts for extra security. You bring up a good point that 2FA doesn't really work as well for those without access to those things, so that's something I will consider in our search for something.